PERSONAL DATA PROCESSING POLICY

Last updated: January 06, 2026

1. General Provisions

1.1. This Personal Data Processing Policy (hereinafter - "Policy") defines the procedure for processing and protecting personal data of users of:

• The website https://guitarsongs.club (hereinafter - "Website")
• The mobile application "Guitar Songs" for Android (hereinafter - "Application")

The Website and Application are collectively referred to as the "Service".

1.2. The personal data controller is an individual (hereinafter - "Operator"):

• Full name: Aleksandr Suslov
• Contact email: guitarsongs.club@gmail.com

1.3. Use of the Service constitutes your unconditional consent to this Policy and the terms of personal data processing. If you disagree with the terms of the Policy, you must stop using the Service.

1.4. This Policy has been developed in accordance with:

• EU General Data Protection Regulation (GDPR)
• Other applicable regulations in the field of personal data protection

2. Basic Definitions

2.1. Personal data - any information relating to a directly or indirectly identified or identifiable natural person.

2.2. Processing of personal data - any action or set of actions performed with personal data, including collection, recording, systematization, accumulation, storage, clarification, use, transfer, anonymization, blocking, deletion, destruction.

2.3. Operator - a person who independently or jointly with other persons organizes and/or carries out the processing of personal data.

2.4. User - a natural person using the Service.

3. What Personal Data We Collect

3.1. When Using the Website

Registration is not required to view content on the Website. When authorizing via Google OAuth 2.0 to add or edit content, we receive:

• Username (can be changed by the user in profile settings)
• Email address (stored exclusively as a SHA-256 hash)
• Google unique user identifier

3.2. When Using the Application

Registration is not required to view content in the Application. When voluntarily authorizing to synchronize data between devices, we receive:

When authorizing via Firebase Authentication (email/password):

• Email address (stored locally on the user's device; only the SHA-256 hash is transmitted during synchronization)
• Firebase unique user identifier

When authorizing via Google Sign-In:

• Email address (stored locally on the user's device; only the SHA-256 hash is transmitted during synchronization)
• Google unique user identifier

3.3. Synchronized Data

When authorizing in the Application or on the Website, the following are automatically synchronized:

• List of favorite songs
• User-created playlists
• User-added songs
• Artists removed by the user
• Personal display settings (font size, scroll speed, etc.)

3.4. Technical Data and Analytics

Firebase Analytics collects (optional, requires your consent):

• Information about the use of Application features
• Song view statistics
• Application usage time
• Device technical characteristics (model, Android version, etc.)
• Anonymous application installation identifier
• Country and region (based on IP address)

You can decline Firebase Analytics when first launching the Application or at any time in settings (Settings → Information).

Firebase Crashlytics collects (enabled by default, can be disabled):

• Data about crashes and errors in the Application
• Device technical characteristics
• Application version
• Call stack when an error occurs
• Information about the device state at the time of the crash

Firebase Crashlytics helps us identify and fix errors to ensure stable operation of the Application. You can disable crash report submission in the Application settings (Settings → System → Send crash reports).

The Website web server automatically collects:

• IP address
• Browser type and operating system
• Date and time of access
• Address of the page from which the transition was made
• Pages viewed

3.5. Data for Personalized Advertising

Advertisements may be displayed when using the Application. To show personalized advertising, we use:

• User Messaging Platform (UMP) - to collect your consent for personalized advertising in accordance with GDPR requirements
• Advertising ID - an anonymous device identifier used to personalize advertising

You can:

• Consent to the display of personalized advertising
• Refuse personalized advertising (in which case contextual advertising will be shown)
• Change your decision at any time in the Application settings

4. Purposes of Personal Data Processing

We process your personal data for the following purposes:

4.1. Providing Access to Service Features

• User authorization on the Website and in the Application
• Ability to add and edit content on the Website
• Synchronization of favorites, playlists, and settings between devices
• Account recovery

4.2. Improving Service Quality

• Analysis of feature usage (via Firebase Analytics)
• Identification and correction of errors (via Firebase Crashlytics)
• Improvement of user interface
• Development of new features

4.3. Communication with Users

• Responses to user inquiries
• Notification of changes in Service operation
• Notifications of important updates

4.4. Compliance with Legislation

• Fulfillment of applicable legal requirements
• Prevention of fraud and abuse
• Protection of the rights and security of the Operator and other users

5. Legal Bases for Processing Personal Data

Personal data processing is carried out on the following legal bases (in accordance with Article 6 GDPR):

5.1. Consent of the Data Subject (Art. 6(1)(a) GDPR)

• When registering and authorizing, you give explicit consent to data processing
• When first launching the Application, you confirm consent to the Policy
• When using UMP, you give consent to personalized advertising
• When using Firebase Analytics, you give voluntary consent to the collection of analytical data

5.2. Performance of a Contract (Art. 6(1)(b) GDPR)

• Data processing is necessary to provide you access to Service features
• Synchronization of data between devices at your request

5.3. Legitimate Interests of the Operator (Art. 6(1)(f) GDPR)

• Use of Firebase Crashlytics to identify and fix critical errors, ensuring stability and security of the Application
• Improvement of Service quality and security
• Protection against fraud and abuse

You have the right to object to processing based on legitimate interests and can disable Firebase Crashlytics in the Application settings.

6. Methods of Processing and Storing Personal Data

6.1. Collection of Personal Data

• When authorizing via Google OAuth 2.0 on the Website, the user grants access to their name and email address
• In the Application, the user can authorize by email via Firebase Authentication or via Google Sign-In
• Technical data is collected automatically when using the Service

6.2. Storage of Personal Data

• User data is stored on secure Firebase servers (Google Cloud Platform)
• Website data is stored on hosting provider servers
• Synchronized data (favorites, playlists, settings) is stored on hosting provider servers

6.3. Security Measures

We apply the following measures to protect your data:

• Encryption of data transmission (SSL/TLS)
• Email addresses are stored exclusively as SHA-256 hashes, making it impossible to recover the original email
• Restriction of access to personal data
• Regular backups
• Use of modern authentication methods

6.4. Retention Periods

• Account data: stored until account deletion by the user or upon their request
• Synchronized data: stored until account deletion
• Server logs: stored for up to 12 months from the date of collection
• Analytics data: stored according to Google's policy (up to 14 months)
• Crash data: stored according to Google's policy (up to 90 days)

7. Transfer of Personal Data to Third Parties

We transfer your personal data to the following categories of recipients:

7.1. Google LLC / Google Ireland Limited

Data is transferred to Google when using:

• Google OAuth 2.0 for authorization on the Website
• Firebase Authentication for authorization in the Application
• Google Sign-In (CredentialManager) in the Application
• Firebase Analytics for usage analysis (optional, requires your consent)
• Firebase Crashlytics for crash data collection (enabled by default, can be disabled in settings)
• AdMob for advertising display (if enabled)
• User Messaging Platform (UMP) for consent collection

Google processes data in accordance with their Privacy Policy.

Data transfer outside the EU: Google complies with EU Standard Contractual Clauses for data transfer to third countries.

7.2. Website Hosting Provider

To host the Website, hosting provider services are used, which may have access to technical data (IP addresses, server logs).

7.3. Advertising Networks and Mediation Platforms

The Application uses the following advertising networks and platforms to display advertisements:

• Google AdMob (Google LLC / Google Ireland Limited) — an advertising network. Data processing is carried out in accordance with the Google Privacy Policy
• CAS.AI (CleverAdsSolutions) — an advertising mediation platform that combines multiple advertising networks. CAS.AI may transfer data to the following partners: Google AdMob, Unity Ads, AppLovin, ironSource, Vungle, Chartboost, InMobi, Pangle (TikTok), Meta Audience Network, and other networks depending on mediation settings. A complete list of CAS.AI partners is available at https://cas.ai Data processing is carried out in accordance with the CAS.AI Privacy Policy
• Yandex Advertising Network (Yandex LLC, Russia) — for displaying advertisements to Russian users. Data processing is carried out in accordance with Yandex Privacy Policy

7.4. Data Transfer as Required by Law

We may disclose personal data if required:

• By request of competent authorities
• To comply with applicable law
• To protect our rights and security
• To prevent fraud

Important: We do not sell or transfer your personal data to third parties for commercial purposes.

8. Cookies and Similar Technologies

8.1. What are Cookies

Cookies are small text files that are saved on your device when you visit the Website.

8.2. What Cookies We Use

On the Website:

• Essential cookies: for authorization and session management
• Functional cookies: for saving user settings
• Analytics cookies: for traffic analysis

In the Application:

• Firebase uses similar technologies to save authorization state
• Advertising ID is used to personalize advertising (with your consent)

8.3. Cookie Management

You can:

• Manage cookies through your browser settings
• Disable cookies (this may limit Website functionality)
• Reset Advertising ID in Android settings
• Revoke consent for personalized advertising in Application settings

9. Your Rights (GDPR)

In accordance with GDPR, you have the following rights regarding your personal data:

9.1. Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation of whether your personal data is being processed, and if so, to obtain access to that data.

9.2. Right to Rectification (Art. 16 GDPR)

You have the right to request rectification of inaccurate personal data.

9.3. Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data.

How to delete your account:

1. In the Application: open Settings -> Synchronization -> Account and tap the "Delete Account" button
2. On the Website: go to Profile -> Edit and click "Delete Account"
3. By email: send a request to guitarsongs.club@gmail.com

When deleting your account, the following will be deleted:

• Your username
• Email address
• Favorites list
• All created playlists
• Personal settings
• Authorization data

Important: Songs that you added through the Website will NOT be deleted and will remain available to other users, as they are part of the Service's publicly available database. If you want to delete specific songs, do so through the website yourself or contact us before deleting your account.

9.4. Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing of your personal data in certain cases.

9.5. Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used machine-readable format and transfer it to another operator.

How to request data: send a request to guitarsongs.club@gmail.com. We will provide your data in JSON format within 30 days.

9.6. Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your personal data based on the legitimate interests of the operator.

How to disable Firebase Crashlytics:

1. Open the Application
2. Go to Settings → System
3. Disable the "Send crash reports" toggle

After disabling, Firebase Crashlytics will stop collecting crash data on your device.

9.7. Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right to withdraw your consent to the processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

How to withdraw consent:

• To withdraw consent for Firebase Analytics: change settings in the Application
• To withdraw consent for personalized advertising: change settings in the Application
• To withdraw general consent: delete your account or write to guitarsongs.club@gmail.com

9.8. Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates GDPR.

Competent supervisory authority (Germany):
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Str. 153
53117 Bonn
Phone: +49 (0)228-997799-0
Email: poststelle@bfdi.bund.de
Website: www.bfdi.bund.de

9.9. Exercising Your Rights

To exercise any of the specified rights, contact us:

• Email: guitarsongs.club@gmail.com
• Subject line: "GDPR Request"

We will respond to your request within 30 days of receipt. In complex cases, the period may be extended to 60 days with notification of the reasons for the delay.

10. Personal Data of Minors

10.1. The Service is not intended for persons under 16 years of age.

10.2. We do not knowingly collect personal data from persons under 16 years of age. If we become aware that we have collected personal data from a minor without parental consent, we will take steps to delete such data.

10.3. If you are a parent or guardian and have learned that your child has provided us with personal data, please contact us at guitarsongs.club@gmail.com.

11. Automated Decision-Making and Profiling

11.1. We do not use automated decision-making that may have legal consequences for you or significantly affect you.

11.2. Firebase Analytics may use automated analysis to create aggregated statistics, but this does not result in decisions affecting you personally.

11.3. Advertising personalization is performed automatically based on your Advertising ID, but you can opt out of this at any time.

12. Changes to the Privacy Policy

12.1. We reserve the right to change this Policy at any time.

12.2. We will notify you of significant changes by one of the following methods:

• Publication of a notice on the Website
• Notification in the Application on next launch

12.3. Continued use of the Service after the changes take effect constitutes your consent to the updated Policy.

12.4. The date of the last update is indicated at the beginning of the document.

13. Contact Information

13.1. For all questions related to the processing of personal data and this Policy, you can contact us:

Email: guitarsongs.club@gmail.com

13.2. We undertake to respond to your requests within 30 days of receipt.

14. Final Provisions

14.1. This Policy is an integral part of the User Agreement.

14.2. In case of contradictions between this Policy and other documents, this Policy takes precedence in matters relating to personal data processing.

14.3. If any provision of this Policy is found to be invalid, the remaining provisions remain in force.

By using our Service, you confirm that you have read, understood, and agree to the terms of this Personal Data Processing Policy.